PT-2026-28502 · Libpng+1

Amemoyoi · Published 2026-01-01 · Updated 2026-05-07 · CVE-2026-33636

CVSS v3.1: 7.6 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
Name of the Vulnerable Software and Affected Versions: libpng versions 1.6.36 through 1.6.55

Description: An out-of-bounds read and write exists in the ARM/AArch64 Neon-optimized palette expansion path. When expanding 8-bit paletted rows to RGB or RGBA, the Neon loop processes a final partial chunk without verifying that enough input pixels remain. Because the implementation works backward from the end of the row, the final iteration dereferences pointers before the start of the row buffer (an out-of-bounds read) and writes the expanded pixel data to those same underflowed positions (an out-of-bounds write). The issue is reachable through normal decoding of attacker-controlled PNG input whenever the Neon path is enabled.

Recommendations: Update to version 1.6.56.
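As an added illustration that is not libpng's code, the following constructed C model shows the backward, chunk-at-a-time palette expansion the description refers to, with the remaining-pixel guard that confines the vector-style path to whole chunks and a scalar loop for the tail. CHUNK, the helper names and the sample row are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CHUNK 8  /* pixels per vectorised iteration; constructed model, not libpng's constant */

/* Indices an unguarded chunk loop would read before the row start (0 = safe); the RGB writes land 3x as early. */
size_t tail_underflow(size_t width)
{
    size_t rem = width % CHUNK;
    return rem == 0 ? 0 : CHUNK - rem;
}

/* In-place expansion of 8-bit palette indices to RGB, working backward from the end
 * of the row so unread indices are never overwritten. buf holds width * 3 bytes, the
 * first width of which are the indices. Returns the number of bytes written. */
size_t expand_palette_rgb(uint8_t *buf, size_t width, uint8_t pal[256][3])
{
    size_t remaining = width;
    while (remaining >= CHUNK) {            /* chunked path: a whole chunk is guaranteed */
        uint8_t idx[CHUNK];
        remaining -= CHUNK;
        memcpy(idx, buf + remaining, CHUNK);    /* read all indices before writing */
        for (size_t i = 0; i < CHUNK; i++)
            memcpy(buf + (remaining + i) * 3, pal[idx[i]], 3);
    }
    /* Scalar tail for the partial chunk. Dropping this guard and letting the loop
     * above run once more over the tail is the pattern the advisory describes. */
    while (remaining > 0) {
        remaining--;
        memcpy(buf + remaining * 3, pal[buf[remaining]], 3);
    }
    return width * 3;
}

/* Self-check on a constructed 13-pixel row (13 % 8 == 5, so an unguarded chunk loop
 * would reach 3 pixels before the buffer). Returns 1 if every pixel expanded correctly. */
int selftest(void)
{
    uint8_t pal[256][3], buf[13 * 3];
    for (int i = 0; i < 256; i++) { pal[i][0] = (uint8_t)i; pal[i][1] = (uint8_t)(255 - i); pal[i][2] = (uint8_t)(i ^ 0x5a); }
    for (size_t j = 0; j < 13; j++) buf[j] = (uint8_t)(j * 17);      /* constructed indices */
    if (expand_palette_rgb(buf, 13, pal) != 39) return 0;
    for (size_t j = 0; j < 13; j++) {
        uint8_t ix = (uint8_t)(j * 17);
        if (buf[j * 3] != ix || buf[j * 3 + 1] != (uint8_t)(255 - ix) || buf[j * 3 + 2] != (uint8_t)(ix ^ 0x5a)) return 0;
    }
    return 1;
}
```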

Tags: Exploit · Fix · RCE · Memory Corruption · Out-of-bounds Read

Weakness Enumeration

Related Identifiers

ALSA-2026:7671
ALSA-2026:7672
ALSA-2026:8052
ALSA-2026:8459
ALSA-2026:9345
ALSA-2026:9638
ALSA-2026:9693
CVE-2026-33636
ECHO-42F8-ED7B-D9F3
GHSA-WJR5-C57X-95M2
MGASA-2026-0070
OESA-2026-1852
OPENSUSE-SU-2026:10451-1
OPENSUSE-SU-2026:20466-1
RHSA-2026:6732
RHSA-2026:7671
RHSA-2026:7672
RHSA-2026:8052
RHSA-2026:8459
RHSA-2026:9254
RHSA-2026:9345
RHSA-2026:9638
RHSA-2026:9693
SUSE-SU-2026:1368-1
SUSE-SU-2026:21000-1
SUSE-SU-2026:21038-1
SUSE-SU-2026:21067-1
SUSE-SU-2026:21138-1
USN-8251-1

Affected Products

Libpng
Rocky Linux